When live-migrating an operating system from one virtual machine to another, what is the least amount of privilege needed? Can we guarantee the integrity and availability of innocent virtual machines (VMs) on a host, while still allowing untrusted users to submit new VMs for execution on that same host over the network? How can we prevent privileged, network-facing control plane software from posing a security risk to user VMs? These questions are addressed in our 'Self-Migration of Operating Systems' project.
Building on our experiences with the NomadBIOS project (the first system implementing live OS-migration), we are building a new system for live OS-migration on top of the Xen Virtual Machine Monitor, where mobile Linux OSes migrate autonomously between hosts, while paying for resources using a simple token currency.
On the sending side, our mobile Linux is completely self-migrating, using its own paging facilities and TCP/IP stack for obtaining and transferring a consistent checkpoint of itself onto a target host.
On the receiving side, we assume only a trusted minimal bootstrapping mechanism that is capable of receiving and verifying an encrypted token and thereafter starting an unprivileged TCP/IP stack which receives a self-inflating image of the incoming OS.
Currently self-migration and self-inflation work well, with OS migration downtime as low as 50ms. We are working on the token mechanism, which is modelled after Laundromat tokens. It will allow users to pay for resources as these are consumed, in response to application progress, and without having to commit to a large investment up front.
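The low downtime reported above is possible only because most of the checkpoint is transferred while the OS keeps running. The following simulation is an added illustration, not code from the project: it models the classic pre-copy strategy (the page does not state which checkpoint strategy the project uses, so that is an assumption) on a constructed 256-page guest with a toy workload, and shows how few pages remain for the stopped phase compared with a plain stop-and-copy.

```python
import random

PAGE_COUNT = 256            # constructed toy guest: 256 pages of 8 bytes each

def make_workload(hot_pages, extra=4, seed=1):
    """Return a deterministic stand-in for 'the OS keeps running'.

    Each call writes every page in the hot working set plus a few random
    pages, and returns the set of page numbers it dirtied."""
    rng = random.Random(seed)
    def run(memory):
        dirtied = set(hot_pages)
        dirtied |= {rng.randrange(len(memory)) for _ in range(extra)}
        for page in dirtied:
            memory[page] = rng.getrandbits(64).to_bytes(8, "big")
        return dirtied
    return run

def precopy_migrate(memory, workload, max_rounds=5, threshold=8):
    """Pre-copy live migration of `memory` to a fresh receiver.

    Pages are copied in rounds while the guest keeps running; pages dirtied
    during a round are re-sent in the next one. When the dirty set is small
    (or we give up after max_rounds) the guest stops and the remainder is
    sent: only that last phase is downtime.
    Returns (receiver_memory, rounds, stop_and_copy_pages, total_pages_sent)."""
    receiver = {}
    dirty = set(memory)                      # round 1: every page is dirty
    rounds = total_sent = 0
    while rounds < max_rounds and len(dirty) > threshold:
        for page in dirty:
            receiver[page] = memory[page]
        total_sent += len(dirty)
        dirty = workload(memory)             # guest ran while we were copying
        rounds += 1
    # stop-and-copy: guest is paused, the remaining dirty pages are flushed
    for page in dirty:
        receiver[page] = memory[page]
    total_sent += len(dirty)
    return receiver, rounds, len(dirty), total_sent

def demo():
    memory = {p: p.to_bytes(8, "big") for p in range(PAGE_COUNT)}
    workload = make_workload(hot_pages=range(16))
    receiver, rounds, downtime_pages, total = precopy_migrate(memory, workload)
    assert receiver == memory               # a consistent checkpoint arrived
    return rounds, downtime_pages, total

if __name__ == "__main__":
    rounds, downtime_pages, total = demo()
    print(f"{rounds} pre-copy rounds, {downtime_pages} pages copied while "
          f"stopped (vs {PAGE_COUNT} for plain stop-and-copy), {total} sent")
```

The hot working set never converges below the threshold here, so the loop gives up after max_rounds; a real migrator must bound rounds the same way or a write-heavy guest would never be stopped.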
Professor Eric Jul will also be present for this lecture.